CVE-2025-3515
published 2025-06-17

CVE-2025-3515: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation…

Priority P184 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 5.09% (91.3rd percentile)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.

Affected

9 ranges

Vendor      | Product                                                 | Version range | Fixed in
codedropz   | drag_and_drop_multiple_file_upload_contact_form_7       | < 1.3.9.0     | 1.3.9.0
glenwpcoder | drag_and_drop_multiple_file_upload_for_contact_form_7   | <= 1.3.8.9    |
msrc        | cbl2_gnupg2_2.4.0-1_on_cbl_mariner_2.0                  |               |
msrc        | cbl_mariner_1.0_arm                                     |               |
msrc        | cbl_mariner_1.0_x64                                     |               |
msrc        | cbl_mariner_2.0_arm                                     |               |
msrc        | cbl_mariner_2.0_x64                                     |               |
msrc        | cm1_gnupg2_2.2.20-4_on_cbl_mariner_1.0                  |               |
msrc        | cm1_libksba_1.3.5-5_on_cbl_mariner_1.0                  |               |

Detection & IOCs (extracted from sources)

path: /wp-admin/admin-ajax.php
path: /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/
path: /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt
filename: *.phar
command: action=dnd_codedropz_upload&type=drop
other: publicwww-query: "wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/"
  • Look for unauthenticated POST requests to /wp-admin/admin-ajax.php with action=dnd_codedropz_upload and a multipart upload containing a .phar file (Content-Type: image/png spoofing).
  • Monitor for files appearing under /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/ with .phar or other non-image extensions, indicating a successful bypass of the plugin's blacklist.
  • A JSON response containing '"success":true' from admin-ajax.php following a .phar upload attempt confirms successful exploitation.
  • Check the plugin's readme.txt for a Stable tag of 1.3.8.9 or earlier to identify vulnerable installations.
  • The multipart boundary ----WebKitFormBoundaryyvcxCgWuFH6hBJi4 is used in the PoC template; network signatures can key on this boundary combined with the dnd_codedropz_upload action.
  • Attacker reconnaissance targets common contact page paths before uploading; watch for sequential GET requests to /contact/, /contact-us/, /submit/, /support/, /form/, /get-in-touch/ followed by a POST to admin-ajax.php.
  • The HTML element 'wpcf7-drag-n-drop-file' in page source confirms the vulnerable plugin is active; attackers extract the data-name, data-id, and ajax_nonce values from it before launching the upload.
  • Remote code execution via uploaded .phar files is only possible on servers configured to execute .phar files as PHP scripts; default Apache+mod_php setups are specifically at risk.
  • The exploit requires a valid nonce (ajax_nonce) extracted from a page hosting the CF7 drag-and-drop form; the nonce is publicly accessible to unauthenticated users visiting the contact page.
  • The CVSS score of 8.1 reflects High attack complexity (AC:H), meaning exploitation is not trivially reliable across all configurations: the server must handle .phar as executable PHP.
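As an added example (not code from this page or from the plugin's authors), a small Python check that applies the first two detection notes to a captured request: it confirms a POST to admin-ajax.php carrying action=dnd_codedropz_upload and flags any file part whose extension is not an image extension, noting when a spoofed image/* Content-Type accompanies it. The sample request, its boundary and the file field name "upload-file" are constructed assumptions.

```python
import re

IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "webp"}   # what a contact form should carry

def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Return (field name, filename or None, declared content type, data) per part."""
    parts = []
    for chunk in body.split(b"--" + boundary):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":            # preamble / closing delimiter
            continue
        hdrs, _, data = chunk.decode("latin-1").partition("\r\n\r\n")
        name = re.search(r'\bname="([^"]*)"', hdrs)
        fname = re.search(r'filename="([^"]*)"', hdrs)
        ctype = re.search(r"content-type:\s*([^\r\n;]+)", hdrs, re.I)
        parts.append((name.group(1) if name else "", fname.group(1) if fname else None,
                      ctype.group(1).strip().lower() if ctype else "", data))
    return parts

def assess_request(raw: bytes) -> dict:
    """Flag a POST to admin-ajax.php with action=dnd_codedropz_upload and a non-image file part."""
    verdict = {"upload_action": False, "suspicious_parts": []}
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.decode("latin-1").split("\r\n")
    method, target = request_line.split(" ")[:2]
    ctype = next((h for h in headers if h.lower().startswith("content-type:")), "")
    m = re.search(r'boundary="?([^";\s]+)"?', ctype)
    if method != "POST" or not target.startswith("/wp-admin/admin-ajax.php") or not m:
        return verdict
    parts = parse_multipart(body, m.group(1).encode("latin-1"))
    fields = {n: d.strip() for n, f, _, d in parts if f is None}
    verdict["upload_action"] = fields.get("action") == "dnd_codedropz_upload"
    for fname, declared in [(f, c) for _, f, c, _ in parts if f is not None]:
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext not in IMAGE_EXTS:
            # a declared image/* type on a non-image extension is the spoofing noted above
            spoof = " declared as " + declared if declared.startswith("image/") else ""
            verdict["suspicious_parts"].append((fname, "non-image extension" + spoof))
    return verdict

# Constructed capture (not from the page); the file field name "upload-file" is assumed.
B = b"----ConstructedBoundaryAbc123"
SAMPLE_REQUEST = (
    b"POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: wp.example\r\n"
    b"Content-Type: multipart/form-data; boundary=" + B + b"\r\n\r\n"
    b"--" + B + b'\r\nContent-Disposition: form-data; name="action"\r\n\r\ndnd_codedropz_upload\r\n'
    b"--" + B + b'\r\nContent-Disposition: form-data; name="upload-file"; filename="note.phar"\r\n'
    b"Content-Type: image/png\r\n\r\nconstructed-bytes\r\n"
    b"--" + B + b"--\r\n"
)
```

The same check can be run over any full-request capture (WAF or proxy log); a hit on upload_action together with a non-empty suspicious_parts list is the pattern the notes above describe.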

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.1 HIGH
vendor_msrc: 9.8 CRITICAL